SecurityFocus.com Microsoft Newsletter #60

From: Marc Fossi (mfossi@securityfocus.com)
Date: 11/12/01


Date: Mon, 12 Nov 2001 12:38:37 -0700 (MST)
From: Marc Fossi <mfossi@securityfocus.com>
To: Focus-MS <focus-ms@securityfocus.com>
Subject: SecurityFocus.com Microsoft Newsletter #60
Message-ID: <Pine.GSO.4.30.0111121238210.4046-100000@mail.securityfocus.com>

SecurityFocus.com Microsoft Newsletter #60
------------------------------------------

This Issue Sponsored by: GFI <http://www.gfi.com/>

Get your FREE LANguard Security Event Log Monitor!

Catch hackers red-handed with GFI's LANguard S.E.L.M.! Performs intrusion
detection through network-wide monitoring of the security event logs of
all NT/2000 servers and workstations. Extensive reporting identifies all
machines being targeted & local users trying to hack. Get your FREE COPY &
white papers from: http://www.gfi.com/securityfocusoffer

-------------------------------------------------------------------------------

I. FRONT AND CENTER
     1. Advertising Information
     2. Virtual Honeynets
     3. Basic Security Checklist for Home and Office Users
II. MICROSOFT VULNERABILITY SUMMARY
     1. Microsoft Internet Explorer Cookie Disclosure/Modification...
     2. Zone Labs ZoneAlarm Pro Unauthorized Local Security Settings...
     3. Raptor Firewall Zero Length UDP Packet Resource Consumpt...
     4. PHP Nuke Copying and Deleting Files Vulnerability
     5. Ipswitch WS_FTP Server 'STAT' Buffer Overflow Vulnerability
     6. Entrust GetAccess File Disclosure Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
     1. Anybody know what this is? (Thread)
     2. Tunnelling SMB over SSH or SSL (Thread)
     3. Administrivia (Thread)
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
     1. Window Washer
     2. WebTrends Firewall Reporting Solutions
     3. Security Analyzer
     4. Tumbleweed Secure Statements
V. NEW TOOLS FOR MICROSOFT PLATFORMS
     1. NTLM Authorization Proxy Server v0.9.5
     2. Bouncer v0.9.5
     3. Socks via HTTP v0.40
     4. Stunnel v3.21b
VI. SPONSORSHIP INFORMATION

I. FRONT AND CENTER
-------------------
1. Advertising Information

Reach the LARGEST audience of security professionals with SecurityFocus
direct e-marketing NOW!

SecurityFocus is the Web's most successful security intelligence site,
with more than 200,000 unique monthly visitors (September 2001), and
growing rapidly each week. Leverage the security portal of unrivaled
credibility and influence in your next direct marketing campaign.

To find out how SecurityFocus Web marketing and opt-in email newsletter
sponsorships can drive your company's success, contact us at
adsales@securityfocus.com, or download the Advertising Kit at
http://www.securityfocus.com/about/press/adverts.shtml.  To speak directly
with a customer service representative, please call +1(650) 655-6350.

2. Virtual Honeynets
by Michael Clark

A honeynet is a tool that can be used to learn about the targets, methods
and tools used by intruders when compromising a system. It consists of a
network of production systems that are designed to be compromised. Whereas
a honeypot usually consists of one machine, a honeynet is a network of
computers. This article will offer a brief overview of honeynets, and will
examine how to set up a one-machine honeynet using VMware.

http://www.securityfocus.com/infocus/1506

3. Basic Security Checklist for Home and Office Users
by Anton Chuvakin, Ph.D. and Ken Dunham, A-Z Computer Consulting

As the complexity of information systems increases, security decreases.
For example, Microsoft Word macro viruses and e-mail script viruses play
upon the "ease of use" features embedded within Microsoft products. Such
software is very complex and prone to containing multiple bugs and security
vulnerabilities. Unfortunately, current trends indicate that software will
become increasingly complex and less secure (even though measures are
being taken to make it more secure). As the number of users on home and
business networks naturally increases, the importance of user education
rises accordingly. Security checklists offer a framework of secure
behavior that can and should be implemented by all users, regardless of
their level of expertise, the sophistication of the application being used
or the context in which it is being used.

http://www.securityfocus.com/infocus/1504

II. MICROSOFT VULNERABILITY SUMMARY
-----------------------------------
1. Microsoft Internet Explorer Cookie Disclosure/Modification...
BugTraq ID: 3513
Remote: Yes
Date Published: Nov 09, 2001
Relevant URL:
http://www.securityfocus.com/bid/3513
Summary:

Internet Explorer contains a vulnerability which could allow an attacker
to construct a URL that would display or modify the cookie information
associated with an arbitrary website.

If a URL is composed in the about: protocol referencing a website,
JavaScript embedded in the URL can access any cookies associated with that
website via 'document.cookie'. The JavaScript executes because of a
cross-site scripting condition in the about: protocol.

2. Zone Labs ZoneAlarm Pro Unauthorized Local Security Settings
BugTraq ID: 3512
Remote: Yes
Date Published: Nov 06, 2001
Relevant URL:
http://www.securityfocus.com/bid/3512
Summary:

A vulnerability exists in ZoneAlarm which could allow an unauthorized
user to connect to a host with local intranet security settings.

If the first two octets of a visitor's IP address are identical to those
of the local host, ZoneAlarm will allow the visiting user to access the
host with local security settings.
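Added example (not from the newsletter or from Zone Labs) contrasting the two-octet locality heuristic the advisory describes with a subnet-membership check; the host address, the 192.168.1.0/24 network and the visitor addresses are constructed for illustration:

```python
import ipaddress


def same_first_two_octets(visitor: str, local_host: str) -> bool:
    """The weak heuristic described in the advisory: any address that shares
    its first two octets with the host is treated as 'local intranet'.
    It ignores the subnet mask, so on anything narrower than a /16 it
    admits hosts that are not on the LAN at all."""
    return visitor.split(".")[:2] == local_host.split(".")[:2]


def in_local_subnet(visitor: str, local_network: str) -> bool:
    """Correct check: membership in the host's actual subnet (address + mask).
    Malformed input raises ValueError instead of being silently classified."""
    return ipaddress.ip_address(visitor) in ipaddress.ip_network(
        local_network, strict=False
    )


def over_trusted(visitors, local_host: str, local_network: str):
    """Visitors the two-octet rule would grant local settings although they
    lie outside the real subnet: exactly the exposure the advisory reports."""
    return [
        v
        for v in visitors
        if same_first_two_octets(v, local_host)
        and not in_local_subnet(v, local_network)
    ]


if __name__ == "__main__":
    # Constructed sample: host 192.168.1.10 on a /24, three visitors.
    host, net = "192.168.1.10", "192.168.1.0/24"
    visitors = ["192.168.1.20", "192.168.200.5", "10.1.2.3"]
    for v in visitors:
        print(v, "two-octet:", same_first_two_octets(v, host),
              "subnet:", in_local_subnet(v, net))
    print("over-trusted:", over_trusted(visitors, host, net))
```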

3. Raptor Firewall Zero Length UDP Packet Resource Consumption
BugTraq ID: 3509
Remote: Yes
Date Published: Nov 05, 2001
Relevant URL:
http://www.securityfocus.com/bid/3509
Summary:

Raptor Firewall is a commercially available firewall implementation
distributed by Symantec.

A problem with the handling of UDP packets by the firewall has been
discovered. When the firewall receives zero length UDP packets, the
machine hosting the firewall becomes processor bound, with the firewall
taking 100% of the CPU.

This makes it possible for a remote user to crash the firewall, denying
service to legitimate users of network resources. A reboot is required for
the system to resume normal operation.

and eventually in a kernel panic. At this point a system reboot will be
required to regain normal functionality.

4. PHP Nuke Copying and Deleting Files Vulnerability
BugTraq ID: 3510
Remote: Yes
Date Published: Nov 05, 2001
Relevant URL:
http://www.securityfocus.com/bid/3510
Summary:

PHP Nuke is a web portal creation and management package, implemented in
the PHP scripting language. The default installation includes the script
'admin/case/case.filemanager.php', which can be used to copy and delete
files on the server file system.

While the script contains code used to ensure it is only called by an
administrative script responsible for user authentication, the
implementation of this is flawed. As a result, any remote user may call
the script directly without authenticating, and copy and delete any file
on the server, subject to the user permissions under which the script
executes.

5. Ipswitch WS_FTP Server 'STAT' Buffer Overflow Vulnerability
BugTraq ID: 3507
Remote: Yes
Date Published: Nov 05, 2001
Relevant URL:
http://www.securityfocus.com/bid/3507
Summary:

WS_FTP Server, a popular FTP server for Microsoft Windows platforms, is
vulnerable to a buffer overflow condition when a user submits a specially
crafted legitimate FTP command. WS_FTP Server by default runs as a SYSTEM
service.

If a logged-in user submits a 'STAT' command along with arbitrary
characters (approximately 479 bytes) to a host running WS_FTP Server, this
could result in the overwriting of stack variables, including the return
address, and potentially the execution of arbitrary code with SYSTEM
privileges.

6. Entrust GetAccess File Disclosure Vulnerability
BugTraq ID: 3508
Remote: Yes
Date Published: Nov 05, 2001
Relevant URL:
http://www.securityfocus.com/bid/3508
Summary:

Entrust GetAccess allows administration of individual user access rights
and customer profiles on high-volume 'portal' websites.

The default shellscripts that are bundled with Entrust GetAccess do not
sufficiently validate user-supplied input. A remote attacker can make a
web request containing '../' sequences, null characters or shell
metacharacters to access resources (such as web-readable files) outside of
the wwwroot directory on a vulnerable host. The web request must contain
certain parameters to be successful.

Sensitive information disclosed in arbitrary web-readable files may
facilitate further "intelligent" attacks on the host.
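Added example (not part of the newsletter or of Entrust's product) of the input validation the advisory says the bundled scripts lack: decode once, refuse null bytes and shell metacharacters, then confirm the canonical path is still under the document root. WWWROOT and the sample requests are constructed; Entrust's own parameter names are not used.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed document root for the example; every served file must resolve beneath it.
WWWROOT = "/var/www/htdocs"

# Characters that let a request string alter a command built by a CGI shell script.
_SHELL_META = re.compile(r"[;&|`$<>(){}\\\"'\n\r*?\[\]~!#]")


def resolve_request_path(requested: str, wwwroot: str = WWWROOT):
    """Map a requested path onto the filesystem, or return None if it must be refused.

    Steps, in order:
      1. URL-decode once, so %00 and %2e%2e are judged as the bytes they become.
      2. Refuse null bytes (which truncate C strings) and shell metacharacters.
      3. Join under wwwroot, collapse '.' and '..' lexically, and confirm the
         result is wwwroot itself or a descendant of it.
    Symlinks are not followed here; a live server would also realpath() the result.
    """
    decoded = unquote(requested)
    if "\x00" in decoded or _SHELL_META.search(decoded):
        return None
    root = posixpath.normpath(wwwroot)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed requests: two legitimate, four of the kinds the advisory names.
    for req in ["index.html", "docs/../index.html", "../../etc/passwd",
                "..%2f..%2fetc/passwd", "report.txt%00.html", "x;id"]:
        print(f"{req!r:26} -> {resolve_request_path(req)}")
```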

III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Anybody know what this is? (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=20011107184536.56231.qmail@web14402.mail.yahoo.com&threads=1

2. Tunnelling SMB over SSH or SSL (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=01110710162505.23725@movitslinux.bloomberg.com&threads=1

3. Administrivia (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=Pine.GSO.4.30.0111061252420.7602-100000@mail&threads=1

IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. Window Washer
by Webroot
Platforms: Windows 95/98, Windows NT, Windows 2000
Relevant URL:
http://www.webroot.com/washer.htm
Summary:

Window Washer cleans the tracks left behind on your computer by today's
latest browsers, including the cache, cookies, history, mail trash, the
drop-down address bar, AutoComplete data forms and downloaded program
files. Window Washer works with IE, Netscape, NeoPlanet, AOL, CompuServe,
Opera and more!

2. WebTrends Firewall Reporting Solutions
by WebTrends
Platforms: Windows NT, Windows 2000
Relevant URL:
http://www.webtrends.com/products/firewall/default.htm
Summary:

WebTrends Firewall Reporting Solutions provide essential information about
the activity around your firewall or firewall appliance in
easy-to-interpret reports. IT managers, webmasters and security
professionals can leverage these reports to assess the state of their
network and eliminate security threats and network abuses before they
arise.

3. Security Analyzer
by NetIQ
Platforms: Linux, Solaris, Windows 95/98, Windows NT, Windows 2000
Relevant URL:
http://www.netiq.com/products/sa/default.asp
Summary:

NetIQ's Security Analyzer helps you secure your corporate systems and
networks by automatically detecting the latest known security
vulnerabilities and providing extensive reports and guidance on how to
address them.

4. Tumbleweed Secure Statements
by Tumbleweed Communications
Platforms: Windows 95/98, Windows NT, Windows 2000
Relevant URL:
http://www.tumbleweed.com/en/products/solutions/extend_network/statements.html
Summary:

Tumbleweed Secure Statements enables organizations to automate the secure
delivery of business documents, such as trade confirmations, PINs, and
other sensitive or confidential information. Tumbleweed Secure Statements
provides S/MIME encryption, coupled with single sign-on and detailed
tracking and reporting.

V. NEW TOOLS FOR MICROSOFT PLATFORMS
------------------------------------
1. NTLM Authorization Proxy Server v0.9.5
by Dmitry Rozmanov
Relevant URL:
http://www.geocities.com/rozmanov/ntlm/
Platforms: Windows 95/98, Windows NT
Summary:

'NTLM Authorization Proxy Server' is proxy software that allows you to
authenticate via an MS Proxy Server using the proprietary NTLM protocol.
It can change arbitrary values in your client's request headers so that
those requests look like they were created by MS IE. It is written in
Python 1.5.2.

2. Bouncer v0.9.5
by Chris Mason chris@r00t3d.org.uk
Relevant URL:
http://www.r00t3d.org.uk/bin/
Platforms: FreeBSD, Linux, OpenBSD, Windows 2000, Windows NT
Summary:

Bouncer is a network tool which allows you to bypass proxy restrictions
and obtain outside connections from an internal LAN. It uses SSL
tunneling, which allows you to obtain a constant streaming connection out
of a proxy. If you are restricted behind a proxy and can access secure
online ordering sites, then you can get out to whatever host on whatever
port you want. It also supports a lot of other features including socks 5,
basic authentication, access control lists, and Web-based administration,
and will run on Windows, Linux, and FreeBSD.

3. Socks via HTTP v0.40
by Florent Cueto
Relevant URL:
http://cqs.dyndns.org/socks/
Platforms: Linux, Windows 2000, Windows 95/98, Windows NT
Summary:

Socks via HTTP is a program to tunnel socks via HTTP. It is entirely
written in Java.

4. Stunnel v3.21b
by Michal Trojnara, Michal.Trojnara@centertel.pl
Relevant URL:
http://stunnel.mirt.net/
Platforms: FreeBSD, Linux, Windows 2000, Windows 95/98, Windows NT
Summary:

The stunnel program is designed to work as an SSL encryption wrapper
between remote client and local (inetd-startable) or remote server. It can
be used to add SSL functionality to commonly used inetd daemons like POP2,
POP3, and IMAP servers without any changes in the programs' code. It will
negotiate an SSL connection using the OpenSSL or SSLeay libraries. It
calls the underlying crypto libraries, so stunnel supports whatever
cryptographic algorithms you compiled into your crypto package. This
release includes a timeout for the transfer() function, and a fix for a
coredump on exit with active threads.

VI. SPONSORSHIP INFORMATION
---------------------------
This Issue Sponsored by: GFI <http://www.gfi.com/>

-------------------------------------------------------------------------------
